This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 5.10: geoip-bin 1.3.10-1ubuntu0.1

Ubuntu 6.06 LTS: geoip-bin 1.3.14-2ubuntu0.1

Ubuntu 6.10: geoip-bin 1.3.17-1ubuntu0.1

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Dean Gaudet discovered that the GeoIP update tool did not validate the filename responses from the update server. A malicious server, or man-in-the-middle system posing as a server, could write to arbitrary files with user privileges.